Chapter 10 Flashcards
Define cyber risk
Any risk of financial loss, disruption of business, or damage to an organization’s reputation due to a failure of its information technology systems
What seems to increase as businesses rely on technology, information systems, and the internet for their daily operations?
Organizations are increasingly vulnerable to financial loss when the systems fail. Cyber risk threatens an organization's ability to operate, its profitability, and its reputation.
List three categories of cyber attack risks
- Deliberate and unauthorized breaches of security in order to access information systems for the purposes of espionage, extortion, or embarrassment of an organization, such as ransomware that locks businesses out of their systems until they pay a ransom; malware including viruses, worms, or spyware; and online phishing scams
- Unintentional or accidental security breaches, such as losing a memory stick or a laptop
- Operational IT risks, such as failing to install firewalls, keep security software up to date, or select passwords that are unique and difficult to decode
List six situations that create a cyber risk for an organization
- A rapidly spreading virus is released on the internet and infects an organization's system when an employee clicks on a link to the site
- An employee’s laptop is stolen from his or her vehicle
- Ransomware is embedded in the organization’s network, which shuts down access until a ransom is paid
- Hackers set up a program to randomly check the organization’s network security and crack employee passwords, which allows them full access to the company system
- A fake email is sent to employees asking them to send the CEO all the research on new technology the organization is developing
- An email is sent to a company asking it to pay a fake invoice. An employee pays the invoice to an untraceable account and the monies are gone
List four direct losses an organization can face
- Costs to fix and restore systems, duplicate data, and reinstall software
- Ransom or extortion payments
- Funds directly lost due to fraud
- Costs to defend and settle lawsuits
List five indirect losses that result from the direct damage the incident causes for an organization
- Extra expenses - to manage the crisis, such as communications and public relations cost
- Accounting and other professional fees - to determine the extent of the loss
- Loss of competitiveness - if intellectual property like trade secrets are stolen and the organization cannot realize the profits it expected in the time period predicted
- Loss of business - if customers feel they can't trust the organization to hold their personal information securely, causing them to move their business to other firms; if financial markets don't believe the organization is well managed, the organization's share value may decline
- Loss of opportunity - if the organization has to change its strategic plan, plans to grow or expand may be delayed or canceled, or key employee resources may have to be redeployed to manage the crisis
Organizations need to integrate cyber risk management into their overall Enterprise risk management strategy. What two key areas need to be addressed?
- Behavior management
Cyber criminals manipulate individuals to open a door into a system by a variety of methods, such as phishing, or sending emails asking individuals to click on a link; embedding a virus or spyware in email attachments; spear phishing, or sending targeted emails that appear to come from a legitimate source; and setting up fake websites or infecting real websites that employees or individuals are likely to visit
- Systems and technology management
Every technology and system has weaknesses, and cybercriminals set up programs to detect such weaknesses. For example, they use denial of service attacks, where a network or server is flooded with traffic to make it unavailable to users. Worms and viruses are used to take control of computers, generate money, steal sensitive information, or disable a computer or network
A number of insurers have developed cyber risk endorsements and package policies that include coverage for the following perils.
List 5 perils
- Third party liability
- Cybercrime
- Extra expense
- Business interruption losses resulting from a cyber attack or data breach
- Crisis management counseling services, to guide the organization on how to manage communications after a loss
List additional perils that can be insured under cyber risk policies
- Theft of data resulting in a privacy breach
- Unintentional transmission of a computer virus
- Network systems that become unavailable to third parties due to a failure in security
- Allegations of copyright or trademark infringement, libel, slander, defamation, or various social media activities
List four optional cyber liability coverages
- Regulatory defense expense
- Punitive damages
- Arbitration expenses
- Criminal rewards for information leading to the arrest and conviction of the cyber criminal responsible for the loss
List exclusions to cyber risk insurance
Cyber risk insurance typically excludes hard-to-quantify losses, such as
- reputation damage
- loss of intellectual property
- some class action lawsuits
- future losses, such as a loss of competitiveness
True or false: cyber risk policies typically cover damage to electronic equipment and lost data from certain perils, such as lightning
True
What does cyber risk policy coverage usually entail under property insurance forms?
Coverage usually includes the cost of restoring or replacing data that were destroyed or damaged in the same event. Coverage may also extend to cover lost data from malware, either as part of a business package policy or under a standalone policy. Availability of coverage depends on the technology organizations use and their level of exposure.
List 7 specialized coverages available to cover exposures such as extortion or fraud, damage to their systems or software, or an interruption in their operations as a result of a cyber attack.
- Loss/corruption of data - covers the cost to replace lost or damaged data caused by viruses, malicious code, or spyware
- Business interruption - covers losses that occur when an organization's network is attacked and the organization is unable to or has limited ability to conduct business, including business income, extra expenses, forensic expenses, and contingent business interruption
- Cyber extortion - covers payment or settlement of an extortion threat against an organization's network and the cost of hiring investigators to track down and negotiate with blackmailers
- Crisis management - covers the cost of notifying consumers of a release of private information, providing credit monitoring and other remediation services in the event of a covered incident, and hiring specialty public relations assistance or advertising to rebuild the organization's reputation following an incident
- Data breach - covers expenses and legal liability from a data breach, including access to services to support business owners in complying with regulatory requirements and addressing customer concerns
- Identity theft - covers the cost of setting up a call center to specifically address customer or employee concerns when personal information of customers or employees is stolen
- Social media/networking - covers some social media liability exposures, such as online defamation, advertising, libel, and slander
What are 5 factors to consider when recommending cyber insurance
1. What security is already in place
2. What security needs to be in place
3. Where are their cloud accounts located
4. Which risks can be avoided, retained, or controlled
5. Which risks need to be insured or transferred
6. What kind of personal information is being stored
7. How many records with sensitive information can be accessed
8. Do clients rely on third-party services or provide services to others
9. What are the possible outcomes if a data breach is not detected immediately